1. A company has discovered unauthorized devices are using its WiFi network, and it
wants to harden the access point to improve security.
Which of the following configurations should an analyst enable to improve security?
(Select TWO.)
A. RADIUS
B. PEAP
C. WPS
D. WEP-EKIP
E. SSL
F. WPA2-PSK
Answer: A, F
Explanation:
To improve the security of the WiFi network and prevent unauthorized devices from
accessing the network, the configuration options of RADIUS and WPA2-PSK should
be enabled. RADIUS (Remote Authentication Dial-In User Service) is an
authentication protocol that can be used to control access to the WiFi network. It can
provide stronger authentication and authorization than WEP and WPA.
WPA2-PSK (WiFi Protected Access 2 with Pre-Shared Key) is a security protocol that
uses stronger encryption than WEP and WPA. It requires a pre-shared key (PSK) to
be entered on each device that wants to access the network. This helps prevent
unauthorized devices from accessing the network.

2. During an incident, a company CIRT determines it is necessary to observe the
continued network-based transaction between a callback domain and the malware
running on an enterprise PC.
Which of the following techniques would be BEST to enable this activity while
reducing the risk of lateral spread and the risk that the adversary would notice any
changes?
A. Physically move the PC to a separate internet point of presence
B. Create and apply microsegmentation rules.
C. Emulate the malware in a heavily monitored DMZ segment.
D. Apply network blacklisting rules for the adversary domain
Answer: C
Explanation:
To observe the continued network-based transaction between a callback domain and
the malware running on an enterprise PC while reducing the risk of lateral spread and
the risk that the adversary would notice any changes, the best technique to use is to
emulate the malware in a heavily monitored DMZ segment. This is a secure
environment that is isolated from the rest of the network and can be heavily monitored
to detect any suspicious activity. By emulating the malware in this environment, the
activity can be observed without the risk of lateral spread or detection by the
adversary.
Reference: https://www.sans.org/blog/incident-response-fundamentals-why-is-the-dmz-so-important/

3. Which of the following environments utilizes dummy data and is MOST likely to be installed
locally on a system that allows it to be assessed directly and modified easily with each
build?
A. Production
B. Test
C. Staging
D. Development
Answer: D
Explanation:
The environment that utilizes dummy data and is most likely to be installed locally on
a system that allows it to be assessed directly and modified easily with each build is
the development environment. The development environment is used for developing
and testing software and applications. It is typically installed on a local system, rather
than on a remote server, to allow for easy access and modification. Dummy data can
be used in the development environment to simulate real-world scenarios and test the
software's functionality.
Reference: https://www.techopedia.com/definition/27561/development-environment

4. A desktop support technician recently installed a new document-scanning software
program on a computer. However, when the end user tried to launch the program, it
did not respond.
Which of the following is MOST likely the cause?
A. A new firewall rule is needed to access the application.
B. The system was quarantined for missing software updates.
C. The software was not added to the application whitelist.
D. The system was isolated from the network due to infected software.
Answer: C
Explanation:
The most likely cause of the document-scanning software program not responding
when launched by the end user is that the software was not added to the application
whitelist. An application whitelist is a list of approved software applications that are
allowed to run on a system. If the software is not on the whitelist, it may be blocked
from running by the system's security policies. Adding the software to the whitelist
should resolve the issue and allow the program to run.
Reference: https://www.techopedia.com/definition/31541/application-whitelisting

5. A company recently experienced an attack during which its main website was
directed to the attacker's web server, allowing the attacker to harvest credentials from
unsuspecting customers.
Which of the following should the company implement to prevent this type of attack
from occurring in the future?
A. IPsec
B. SSL/TLS
C. DNSSEC
D. S/MIME
Answer: B
Explanation:
To prevent attacks where the main website is directed to the attacker's web server,
allowing the attacker to harvest credentials from unsuspecting customers, the
company should implement SSL/TLS (Secure Sockets Layer/Transport Layer
Security) to encrypt the communication between the web server and the clients. This
will prevent attackers from intercepting and tampering with the communication, and
will also help to verify the identity of the web server to the client.

6. A security engineer is installing a WAF to protect the company's website from
malicious web requests over SSL.
Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
Explanation:
A Web Application Firewall (WAF) is a security solution that protects web applications
from various types of attacks such as SQL injection, cross-site scripting (XSS), and
others. It is typically deployed in front of web servers to inspect incoming traffic and
filter out malicious requests.
To protect the company's website from malicious web requests over SSL, a
decryption certificate is needed to decrypt the SSL traffic before it reaches the WAF.
This allows the WAF to inspect the traffic and filter out malicious requests.

7. A security analyst has received several reports of an issue on an internal web
application. Users state they are having to provide their credentials twice to log in.
The analyst checks with the application team and notes this is not an expected
behavior.
After looking at several logs, the analyst decides to run some commands on the
gateway and obtains the following output:

Internet address   Physical address    Type
192.168.1.1        ff-ec-ab-00-aa-78   dynamic
192.168.1.5        ff-00-5e-48-00-fb   dynamic
192.168.1.8        00-0c-29-1a-e7-fa   dynamic
192.168.1.10       fe-41-5e-48-00-ff   dynamic
224.215.54.47      fc-00-5e-48-00-fb   static

Which of the following BEST describes the attack the company is experiencing?
A. MAC flooding
B. URL redirection
C. ARP poisoning
D. DNS hijacking
Answer: C
Explanation:
The output of the "netstat -ano" command shows that there are two connections to
the same IP address and port number. This indicates that there are two active
sessions between the client and server.
The issue of users having to provide their credentials twice to log in is known as a
double login prompt issue. This issue can occur due to various reasons such as
incorrect configuration of authentication settings, incorrect configuration of web server
settings, or issues with the client's browser.
Based on the output of the "netstat -ano" command, it is difficult to determine the
exact cause of the issue. However, it is possible that an attacker is intercepting traffic
between the client and server and stealing user credentials. This type of attack is
known as C. ARP poisoning.
ARP poisoning is a type of attack where an attacker sends fake ARP messages to
associate their MAC address with the IP address of another device on the network.
This allows them to intercept traffic between the two devices and steal sensitive
information such as user credentials.

8. A company recently experienced an attack during which its main website was
directed to the attacker's web server, allowing the attacker to harvest credentials
from unsuspecting customers.
Which of the following should the company implement to prevent this type of attack
from occurring in the future?
A. IPsec
B. SSL/TLS
C. DNSSEC
D. S/MIME
Answer: C
Explanation:
The attack described in the question is known as a DNS hijacking attack. In this type
of attack, an attacker modifies the DNS records of a domain name to redirect traffic to
their own server. This allows them to intercept traffic and steal sensitive information
such as user credentials.
To prevent this type of attack from occurring in the future, the company should
implement C. DNSSEC.
DNSSEC (Domain Name System Security Extensions) is a security protocol that adds
digital signatures to DNS records. This ensures that DNS records are not modified
during transit and prevents DNS hijacking attacks.

9. A security engineer is installing a WAF to protect the company's website from
malicious web requests over SSL.
Which of the following is needed to meet the objective?
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
Explanation:
A Web Application Firewall (WAF) is a security solution that protects web applications
from various types of attacks such as SQL injection, cross-site scripting (XSS), and
others. It is typically deployed in front of web servers to inspect incoming traffic and
filter out malicious requests.
To protect the company's website from malicious web requests over SSL, a
decryption certificate is needed to decrypt the SSL traffic before it reaches the WAF.
This allows the WAF to inspect the traffic and filter out malicious requests.

10. Which of the following BEST describes a social-engineering attack that relies on
an executive at a small business visiting a fake banking website where credit card
and account details are harvested?
A. Whaling
B. Spam
C. Invoice scam
D. Pharming
Answer: A
Explanation:
A social engineering attack that relies on an executive at a small business visiting a
fake banking website where credit card and account details are harvested is known
as whaling. Whaling is a type of phishing attack that targets high-profile individuals,
such as executives, to steal sensitive information or gain access to their accounts.

11. If a current private key is compromised, which of the following would ensure it
cannot be used to decrypt all historical data?
A. Perfect forward secrecy
B. Elliptic-curve cryptography
C. Key stretching
D. Homomorphic encryption
Answer: A
Explanation:
Perfect forward secrecy would ensure that it cannot be used to decrypt all historical
data. Perfect forward secrecy (PFS) is a security protocol that generates a unique
session key for each session between two parties. This ensures that even if one
session key is compromised, it cannot be used to decrypt other sessions.

12. Which of the following environments can be stood up in a short period of time,
utilizes either dummy data or actual data, and is used to demonstrate and model
system capabilities and functionality for a fixed, agreed-upon duration of time?
A. PoC
B. Production
C. Test
D. Development
Answer: A
Explanation:
A proof of concept (PoC) environment can be stood up quickly and is used to
demonstrate and model system capabilities and functionality for a fixed, agreed-upon
duration of time. This environment can utilize either dummy data or actual data.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501

13. After segmenting the network, the network manager wants to control the traffic
between the segments.
Which of the following should the manager use to control the network traffic?
A. A DMZ
B. A VPN
C. A VLAN
D. An ACL
Answer: D
Explanation:
After segmenting the network, a network manager can use an access control list
(ACL) to control the traffic between the segments. An ACL is a set of rules that permit
or deny traffic based on its characteristics, such as the source and destination IP
addresses, protocol type, and port number.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501

14. A security researcher is tracking an adversary by noting its attacks and techniques
based on its capabilities, infrastructure, and victims.
Which of the following is the researcher MOST likely using?
A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process
Answer: A
Explanation:
The Diamond Model is a framework for analyzing cyber threats that focuses on four
key elements: adversary, capability, infrastructure, and victim. By analyzing these
elements, security researchers can gain a better understanding of the threat landscape
and develop more effective security strategies.

15. A security engineer needs to create a network segment that can be used for
servers that require connections from untrusted networks.
Which of the following should the engineer implement?
A. An air gap
B. A hot site
C. A VLAN
D. A screened subnet
Answer: D
Explanation:
A screened subnet is a network segment that can be used for servers that require
connections from untrusted networks. It is placed between two firewalls, with one
firewall facing the untrusted network and the other facing the trusted network. This
setup provides an additional layer of security by screening the traffic that flows
between the two networks.
Reference: CompTIA Security+ Certification Guide, Exam SY0-501

16. One of the attendees starts to notice delays in the connection, and the HTTPS site
requests are reverting to HTTP.
Which of the following BEST describes what is happening?
A. Birthday collision on the certificate key
B. DNS hacking to reroute traffic
C. Brute force to the access point
D. An SSL/TLS downgrade
Answer: D
Explanation:
The scenario describes a Man-in-the-Middle (MitM) attack where the attacker
intercepts traffic and downgrades the secure SSL/TLS connection to an insecure
HTTP connection. This type of attack is commonly known as an SSL/TLS downgrade
attack or a stripping attack. The attacker is able to see and modify the communication
between the client and server.

17. A major clothing company recently lost a large amount of proprietary information.
The security officer must find a solution to ensure this never happens again.
Which of the following is the BEST technical implementation to prevent this from
happening again?
A. Configure DLP solutions
B. Disable peer-to-peer sharing
C. Enable role-based
D. Mandate job rotation
E. Implement content filters
Answer: A
Explanation:
Data loss prevention (DLP) solutions can prevent the accidental or intentional loss of
sensitive data. DLP tools can identify and protect sensitive data by classifying and
categorizing it, encrypting it, or blocking it from being transferred outside the
organization's network.

18. The spread of misinformation surrounding the outbreak of a novel virus on election
day led to eligible voters choosing not to take the risk of going to the polls.
This is an example of:
A. prepending.
B. an influence campaign.
C. a watering-hole attack.
D. intimidation.
E. information elicitation.
Answer: B
Explanation:
This scenario describes an influence campaign, where false information is spread to
influence or manipulate people's beliefs or actions. In this case, the misinformation led
eligible voters to avoid polling places, which influenced the outcome of the election.

19. A company is required to continue using legacy software to support a critical
service.
Which of the following BEST explains a risk of this practice?
A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption
Answer: C
Explanation:
One of the risks of using legacy software is the lack of vendor support. This means
that the vendor may no longer provide security patches, software updates, or
technical support for the software. This leaves the software vulnerable to new security
threats and vulnerabilities that could be exploited by attackers.

20. A security researcher has alerted an organization that its sensitive user data was
found for sale on a website.
Which of the following should the organization use to inform the affected parties?
A. An incident response plan
B. A communications plan
C. A business continuity plan
D. A disaster recovery plan
Answer: B
Explanation:
The organization should use a communications plan to inform the affected parties. A
communications plan is a document that outlines how an organization will
communicate with internal and external stakeholders during a crisis or incident. It
should include details such as who will be responsible for communicating with
different stakeholders, what channels will be used to communicate, and what
messages will be communicated.
An incident response plan is a document that outlines the steps an organization will
take to respond to a security incident or data breach. A business continuity plan is a
document that outlines how an organization will continue to operate during and after a
disruption. A disaster recovery plan is a document that outlines how an organization
will recover its IT infrastructure and data after a disaster.

21. A company wants to modify its current backup strategy to minimize the number of
backups that would need to be restored in case of data loss.
Which of the following would be the BEST backup strategy?
A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backups followed by differential backups
Answer: B
Explanation:
The best backup strategy for minimizing the number of backups that need to be
restored in case of data loss is full backups followed by incremental backups. This
strategy allows for a complete restoration of data by restoring the most recent full
backup followed by the most recent incremental backup.
Reference: CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601),
page 126

22. Which of the following is the MOST secure but LEAST expensive data destruction
method for data that is stored on hard drives?
A. Pulverizing
B. Shredding
C. Incinerating
D. Degaussing
Answer: B
Explanation:
Shredding may be the most secure and most cost-effective way to destroy electronic data
in any media that contain hard drives or solid-state drives and have reached their
end-of-life. Shredding reduces electronic devices to pieces no larger than 2 millimeters.
Therefore, shredding is the most secure but least expensive data destruction method
for data that is stored on hard drives.

23. A security analyst is investigating multiple hosts that are communicating to
external IP addresses during the hours of 2:00 a.m. - 4:00 a.m. The malware has
evaded detection by traditional antivirus software.
Which of the following types of malware is MOST likely infecting the hosts?
A. A RAT
B. Ransomware
C. Polymorphic
D. A worm
Answer: A
Explanation:
Based on the given information, the most likely type of malware infecting the hosts is
a RAT (Remote Access Trojan). RATs are often used for stealthy unauthorized
access to a victim's computer, and they can evade traditional antivirus software
through various sophisticated techniques. In particular, the fact that the malware is
communicating with external IP addresses during specific hours suggests that it may
be under the control of an attacker who is issuing commands from a remote location.
Ransomware, polymorphic malware, and worms are also possible culprits, but the
context of the question suggests that a RAT is the most likely answer.

24. Which of the following would be BEST for a technician to review to determine the
total risk an organization can bear when assessing a "cloud-first" adoption strategy?
A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite
Answer: B
Explanation:
To determine the total risk an organization can bear, a technician should review the
organization's risk tolerance, which is the amount of risk the organization is willing to
accept. This information will help determine the organization's "cloud-first" adoption
strategy.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)

25. Which of the following cryptographic concepts would a security engineer utilize
while implementing non-repudiation? (Select TWO)
A. Block cipher
B. Hashing
C. Private key
D. Perfect forward secrecy
E. Salting
F. Symmetric keys
Answer: B, C
Explanation:
Non-repudiation is the ability to ensure that a party cannot deny a previous action or
event. Cryptographic concepts that can be used to implement non-repudiation include
hashing and digital signatures, which use a private key to sign a message and ensure
that the signature is unique to the signer.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)

26. A security analyst notices several attacks are being blocked by the NIPS but does
not see anything on the boundary firewall logs. The attack seems to have been thwarted.
Which of the following resiliency techniques was applied to the network to prevent this
attack?
A. NIC Teaming
B. Port mirroring
C. Defense in depth
D. High availability
E. Geographic dispersal
Answer: C
Explanation:
Defense in depth is a resiliency technique that involves implementing multiple layers
of security controls to protect against different types of threats. In this scenario, the
NIPS likely provided protection at a different layer than the boundary firewall,
demonstrating the effectiveness of defense in depth.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)

27. Which of the following is a risk that is specifically associated with hosting
applications in the public cloud?
A. Unsecured root accounts
B. Zero day
C. Shared tenancy
D. Insider threat
Answer: C
Explanation:
When hosting applications in the public cloud, there is a risk of shared tenancy,
meaning that multiple organizations are sharing the same infrastructure. This can
potentially allow one tenant to access another tenant's data, creating a security risk.
Reference: CompTIA Security+ Certification Exam Objectives (SY0-601)

28. A company is required to continue using legacy software to support a critical
service.
Which of the following BEST explains a risk of this practice?
A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption
Answer: C
Explanation:
Using legacy software to support a critical service poses a risk due to lack of vendor
support. Legacy software is often outdated and unsupported, which means that
security patches and upgrades are no longer available. This can leave the system
vulnerable to exploitation by attackers who may exploit known vulnerabilities in the
software to gain unauthorized access to the system.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 1: Attacks,
Threats, and Vulnerabilities

29. After a hardware incident, an unplanned emergency maintenance activity was
conducted to rectify the issue. Multiple alerts were generated on the SIEM during this
period of time.
Which of the following BEST explains what happened?
A. The unexpected traffic correlated against multiple rules, generating multiple alerts.
B. Multiple alerts were generated due to an attack occurring at the same time.
C. An error in the correlation rules triggered multiple alerts.
D. The SIEM was unable to correlate the rules, triggering the alerts.
Answer: A
Explanation:
Multiple alerts were generated on the SIEM during the emergency maintenance
activity due to unexpected traffic correlated against multiple rules. The SIEM
generates alerts when it detects an event that matches a rule in its rulebase. If the
event matches multiple rules, the SIEM will generate multiple alerts.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture
and Design

30. A security administrator is setting up a SIEM to help monitor for notable events
across the enterprise.
Which of the following control types does this BEST represent?
A. Preventive
B. Compensating
C. Corrective
D. Detective
Answer: D
Explanation:
A SIEM is a security solution that helps detect security incidents by monitoring for
notable events across the enterprise. A detective control is a control that is designed
to detect security incidents and respond to them. Therefore, a SIEM represents a
detective control.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture
and Design

31. A network analyst is setting up a wireless access point for a home office in a
remote, rural location. The requirement is that users need to connect to the access
point securely but do not want to have to remember passwords.
Which of the following should the network analyst enable to meet the requirement?
A. MAC address filtering
B. 802.1X
C. Captive portal
D. WPS
Answer: D
Explanation:
The network analyst should enable Wi-Fi Protected Setup (WPS) to allow users to
connect to the wireless access point securely without having to remember passwords.
WPS allows users to connect to a wireless network by pressing a button or entering a
PIN instead of entering a password.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 4: Identity and
Access Management

32. Which of the following environments utilizes dummy data and is MOST likely to be
installed locally on a system that allows code to be assessed directly and modified
easily with each build?
A. Production
B. Test
C. Staging
D. Development
Answer: D
Explanation:
A development environment is the environment that is used to develop and test
software. It is typically installed locally on a system that allows code to be assessed
directly and modified easily with each build. In this environment, dummy data is often
utilized to test the software's functionality.
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 3: Architecture
and Design

33. While reviewing pcap data, a network security analyst is able to locate plaintext
usernames and passwords being sent from workstations to network switches.
Which of the following is the security analyst MOST likely observing?
A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic
Answer: B
Explanation:
The security analyst is likely observing a Telnet session, as Telnet transmits data in
plain text format, including usernames and passwords.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.2
Given a scenario, analyze indicators of compromise and determine the type of
malware.

34. A client sent several inquiries to a project manager about the delinquent delivery
status of some critical reports. The project manager claimed the reports were
previously sent via email, but then quickly generated and backdated the reports
before submitting them as plain text within the body of a new email message thread.
Which of the following actions MOST likely supports an investigation for fraudulent
submission?
A. Establish chain of custody.
B. Inspect the file metadata.
C. Reference the data retention policy.
D. Review the email event logs.
Answer: D
Explanation:
Reviewing the email event logs can support an investigation for fraudulent
submission, as these logs can provide details about the history of emails, including
the message content, timestamps, and sender/receiver information.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.2
Given a scenario, implement appropriate data security and privacy controls.

35. A new vulnerability in the SMB protocol on the Windows systems was recently
discovered, but no patches are currently available to resolve the issue. The security
administrator is concerned that servers in the company's DMZ will be vulnerable to
external attack; however, the administrator cannot disable the service on the servers,
as SMB is used by a number of internal systems and applications on the LAN.
Which of the following TCP ports should be blocked for all external inbound
connections to the DMZ as a workaround to protect the servers? (Select TWO).
A. 135
B. 139
C. 143
D. 161
E. 443
F. 445
Answer: B, F
Explanation:
To protect the servers in the company's DMZ from external attack due to the new
vulnerability in the SMB protocol on the Windows systems, the security administrator
should block TCP ports 139 and 445 for all external inbound connections to the DMZ.
SMB uses TCP ports 139 and 445. Blocking these ports will prevent external attackers
from exploiting the vulnerability in the SMB protocol on Windows systems.
Blocking TCP ports 139 and 445 for all external inbound connections to the DMZ can
help protect the servers, as these ports are used by the SMB protocol. Port 135 is also
associated with SMB, but it is not commonly used. Ports 143 and 161 are associated
with other protocols and services.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 1.4
Compare and contrast network architecture and technologies.

36. When planning to build a virtual environment, an administrator needs to achieve the
following:
• Establish policies to limit who can create new VMs
• Allocate resources according to actual utilization
• Require justification for requests outside of the standard requirements
• Create standardized categories based on size and resource requirements
Which of the following is the administrator MOST likely trying to do?
A. Implement IaaS replication
B. Protect against VM escape
C. Deploy a PaaS
D. Avoid VM sprawl
Answer: D
Explanation:
The administrator is most likely trying to avoid VM sprawl, which occurs when too
many VMs are created and managed poorly, leading to resource waste and increased
security risks. The listed actions can help establish policies, resource allocation, and
categorization to prevent unnecessary VM creation and ensure proper management.
Reference: CompTIA Security+ Certification Exam Objectives, Exam SY0-601, 3.6
Given a scenario, implement the appropriate virtualization components.

37. A security analyst needs to verify that a client-server (non-web) application is
sending encrypted traffic.
Which of the following should the analyst use?
A. openssl
B. hping
C. netcat
D. tcpdump
Answer: A
Explanation:
To verify that a client-server (non-web) application is sending encrypted traffic, a
security analyst can use OpenSSL. OpenSSL is a software library that provides
cryptographic functions, including encryption and decryption, in support of various
security protocols, including SSL/TLS. It can be used to check whether a client-server
application is using encryption to protect traffic.
Reference: CompTIA Security+ Certification Exam Objectives - Exam SY0-601

38.Ann, a customer, received a notification from her mortgage company stating her 
PII may be shared with partners, affiliates, and associates to maintain day-to-day 
business operations. 
Which of the following documents did Ann receive? 
A. An annual privacy notice 
B. A non-disclosure agreement 
C. A privileged-user agreement 
D. A memorandum of understanding 
Answer: A 
Explanation: 
Ann received an annual privacy notice from her mortgage company. An annual 
privacy notice is a statement from a financial institution or creditor that outlines the 
institution's privacy policy and explains how the institution collects, uses, and shares 
customers' personal information. It informs the customer about their rights under the 
Gramm-Leach-Bliley Act (GLBA) and the institution's practices for protecting their 
personal information. 
Reference: CompTIA Security+ Certification Exam Objectives - Exam SY0-601 
39.A large enterprise has moved all its data to the cloud behind strong authentication 
and encryption. A sales director recently had a laptop stolen, and later, enterprise 
data was found to have been compromised from a local database. 
Which of the following was the MOST likely cause? 
A. Shadow IT 
B. Credential stuffing 
C. SQL injection 
D. Man in the browser 
E. Bluejacking 
Answer: A 
Explanation: 
The most likely cause of the enterprise data being compromised from a local 
database is Shadow IT. 
Shadow IT is the use of unauthorized applications or devices by employees to access 
company resources. In this case, the sales director's laptop was stolen, and the 
attacker was able to use it to access the local database, which was not secured 
properly, allowing unauthorized access to sensitive data. 
Reference: CompTIA Security+ Certification Exam Objectives - Exam SY0-601 


40.The following are the logs of a successful attack. 


[Log excerpt, garbled in extraction: a brute-force tool reports "[DATA] attacking service 
ftp on port 21", followed by a series of "[ATTEMPT] ... target 192.168.50.1 login ... pass ..." 
lines trying different username/password pairs, a "[21][ftp]" result line for 192.168.50.1, 
and a closing line reporting 1 of 1 target successfully completed.] 


Which of the following controls would be BEST to use to prevent such a breach in the 
future? 
A. Password history 
B. Account expiration 
C. Password complexity 
D. Account lockout 
Answer: C 
Explanation: 
To prevent such a breach in the future, the BEST control to use would be password 
complexity. Password complexity is a security measure that requires users to create 
strong passwords that are difficult to guess or crack. It can help prevent unauthorized 
access to systems and data by making it more difficult for attackers to guess or crack 
passwords. 
The best control to use to prevent a breach like the one shown in the logs is password 
complexity. Password complexity requires users to create passwords that are harder 
to guess, by including a mix of upper- and lowercase letters, numbers, and special 
characters. In the logs, the attacker was able to guess the user's password using a 
dictionary attack, which means that the password was not complex enough. 
Reference: 
CompTIA Security+ Certification Exam Objectives - Exam SY0-601 
41.During a Chief Information Security Officer (CISO) convention to discuss security 
awareness, the attendees are provided with a network connection to use as a 
resource. As the convention progresses, one of the attendees starts to notice delays 
in the connection, and the HTTPS site requests are reverting to HTTP. 
Which of the following BEST describes what is happening? 
A. Birthday collision on the certificate key 
B. DNS hijacking to reroute traffic 
C. Brute force to the access point 
D. An SSL/TLS downgrade 
Answer: B 
Explanation: 
The attendee is experiencing delays in the connection, and the HTTPS site requests 
are reverting to HTTP, indicating that the DNS resolution is redirecting the connection 
to another server. DNS hijacking is a technique that involves redirecting a user's 
requests for a domain name to a different IP address. Attackers use DNS hijacking to 
redirect users to malicious websites and steal sensitive information, such as login 
credentials and credit card details. 
Reference: https://www.cloudflare.com/learning/dns/dns-hijacking/ 


42.An organization would like to remediate the risk associated with its cloud service 
provider not meeting its advertised 99.999% availability metrics. 
Which of the following should the organization consult for the exact requirements for 
the cloud provider? 
A. SLA 
B. BPA 
C. NDA 
D. MOU 
Answer: A 
Explanation: 
The Service Level Agreement (SLA) is a contract between the cloud service provider 
and the organization that stipulates the exact requirements for the cloud provider. It 
outlines the level of service that the provider must deliver, including the minimum 
uptime percentage, support response times, and the remedies and penalties for 
failing to meet the agreed-upon service levels. 
43.An enterprise has hired an outside security firm to facilitate penetration testing on 
its network and applications. The firm has agreed to pay for each vulnerability that is 
discovered. 
Which of the following BEST represents the type of testing that is being used? 
A. White-box 
B. Red-team 
C. Bug bounty 
D. Gray-box 
E. Black-box 
Answer: C 
Explanation: 
Bug bounty is a type of testing in which an organization offers a reward or 
compensation to anyone who can identify vulnerabilities or security flaws in their 
network or applications. The outside security firm has agreed to pay for each 
vulnerability found, which is an example of a bug bounty program. 


44.A retail company that is launching a new website to showcase the company's 
product line and other information for online shoppers registered the following URLs: 
* www.companysite.com 
* shop.companysite.com 
* about-us.companysite.com 
* contact-us.companysite.com 
* secure-logon.companysite.com 
Which of the following should the company use to secure its website if the company is 
concerned with convenience and cost? 
A. A self-signed certificate 
B. A root certificate 
C. A code-signing certificate 
D. A wildcard certificate 
E. An extended validation certificate 
Answer: D 
Explanation: 
The company can use a wildcard certificate to secure its website if it is concerned 
with convenience and cost. A wildcard certificate can secure multiple subdomains, 
which makes it cost-effective and convenient for securing the various registered 
domains. 
The retail company should use a wildcard certificate if it is concerned with 
convenience and cost. A wildcard SSL certificate is a single SSL/TLS certificate 
that can provide significant time and cost savings, particularly for small businesses. 
The certificate includes a wildcard character (*) in the domain name field, and can 
secure multiple subdomains of the primary domain. 
45.Which of the following disaster recovery tests is the LEAST time consuming for the 
disaster recovery team? 
A. Tabletop 
B. Parallel 
C. Full interruption 
D. Simulation 
Answer: A 
Explanation: 
A tabletop exercise is a type of disaster recovery test that simulates a disaster 
scenario in a discussion-based format, without actually disrupting operations or 
requiring physical testing of recovery procedures. It is the least time-consuming type 
of test for the disaster recovery team. 


46.A systems administrator is considering different backup solutions for the IT 
infrastructure. The company is looking for a solution that offers the fastest recovery 
time while also saving the most amount of storage used to maintain the backups. 
Which of the following recovery solutions would be the BEST option to meet these 
requirements? 
A. Snapshot 
B. Differential 
C. Full 
D. Tape 
Answer: B 
Explanation: 
Differential backup is a type of backup that backs up all data that has changed since 
the last full backup. This backup method offers faster recovery than a full backup, as it 
only needs to restore the full backup and the differential backup, reducing the amount 
of data that needs to be restored. It also uses less storage than a full backup, as it 
only stores the changes made since the last full backup. 
47.After a phishing scam for a user's credentials, the red team was able to craft a 
payload to deploy on a server. The attack allowed the installation of malicious 
software that initiates a new remote session. 
Which of the following types of attacks has occurred? 
A. Privilege escalation 
B. Session replay 
C. Application programming interface 
D. Directory traversal 
Answer: A 
Explanation: 
"Privilege escalation is the act of exploiting a bug, design flaw, or configuration 
oversight in an operating system or software application to gain elevated access to 
resources that are normally protected from an application or user." In this scenario, 
the red team was able to install malicious software, which would require elevated 
privileges to access and install. Therefore, the type of attack that occurred is privilege 
escalation. 
Reference: CompTIA Security+ Study Guide, pages 111-112 


48.A cybersecurity administrator needs to implement a Layer 7 security control on a 
network and block potential attacks. 
Which of the following can block an attack at Layer 7? (Select TWO). 
A. HIDS 
B. NIPS 
C. HSM 
D. WAF 
E. NAC 
F. NIDS 
G. Stateless firewall 
Answer: D, F 
Explanation: 

A WAF (Web Application Firewall) and NIDS (Network Intrusion Detection System) 
are both examples of Layer 7 security controls. A WAF can block attacks at the 
application layer (Layer 7) of the OSI model by filtering traffic to and from a web 
server. NIDS can also detect attacks at Layer 7 by monitoring network traffic for 
suspicious patterns and behaviors. 

Reference: CompTIA Security+ Study Guide, pages 94-95, 116-118 


49.During an incident, a company's CIRT determines it is necessary to observe the 
continued network-based transactions between a callback domain and the malware 
running on an enterprise PC. 
Which of the following techniques would be BEST to enable this activity while 
reducing the risk of lateral spread and the risk that the adversary would notice any 
changes? 
A. Physically move the PC to a separate Internet point of presence. 
B. Create and apply microsegmentation rules. 
C. Emulate the malware in a heavily monitored DMZ segment. 
D. Apply network blacklisting rules for the adversary domain. 
Answer: C 
Explanation: 
Emulating the malware in a heavily monitored DMZ segment is the best option for 
observing network-based transactions between a callback domain and the malware 
running on an enterprise PC. This approach provides an isolated environment for the 
malware to run, reducing the risk of lateral spread and detection by the adversary. 
Additionally, the DMZ can be monitored closely to gather intelligence on the 
adversary's tactics and techniques. 
Reference: CompTIA Security+ Study Guide, page 129 
50.A business is looking for a cloud service provider that offers a la carte services, 
including cloud backups, VM elasticity, and secure networking. 
Which of the following cloud service provider types should the business engage? 
A. IaaS 
B. PaaS 
C. XaaS 
D. SaaS 
Answer: A 
Explanation: 
Infrastructure as a Service (IaaS) providers offer a la carte services, including cloud 
backups, VM elasticity, and secure networking. With IaaS, businesses can rent 
infrastructure components such as virtual machines, storage, and networking from a 
cloud service provider. 
Reference: CompTIA Security+ Study Guide, pages 233-234 


51.A security analyst is responding to an alert from the SIEM. The alert states that 
malware was discovered on a host and was not automatically deleted. 
Which of the following would be BEST for the analyst to perform? 
A. Add a deny-all rule to that host in the network ACL 
B. Implement a network-wide scan for other instances of the malware. 
C. Quarantine the host from other parts of the network 
D. Revoke the client's network access certificates 
Answer: C 
Explanation: 
When malware is discovered on a host, the best course of action is to quarantine the 
host from other parts of the network. This prevents the malware from spreading and 
potentially infecting other hosts. Adding a deny-all rule to the host in the network ACL 
may prevent legitimate traffic from being processed, implementing a network-wide 
scan is time-consuming and may not be necessary, and revoking the client's network 
access certificates is an extreme measure that may not be warranted. 
Reference: CompTIA Security+ Study Guide, pages 113-114 
52.A cybersecurity administrator needs to allow mobile BYOD devices to access 
network resources. As the devices are not enrolled in the domain and do not have 
policies applied to them, which of the following are best practices for authentication 
and infrastructure security? (Select TWO). 
A. Create a new network for the mobile devices and block the communication to the 
internal network and servers 
B. Use a captive portal for user authentication. 
C. Authenticate users using OAuth for more resiliency 
D. Implement SSO and allow communication to the internal network 
E. Use the existing network and allow communication to the internal network and 
servers. 
F. Use a new and updated RADIUS server to maintain the best solution 
Answer: B, C 
Explanation: 
When allowing mobile BYOD devices to access network resources, using a captive 
portal for user authentication and authenticating users using OAuth are both best 
practices for authentication and infrastructure security. A captive portal requires users 
to authenticate before accessing the network and can be used to enforce policies and 
restrictions. OAuth allows users to authenticate using third-party providers, reducing 
the risk of password reuse and credential theft. 
Reference: CompTIA Security+ Study Guide, pages 217-218, 225-226 


53.An analyst is working on an email security incident in which the target opened an 
attachment containing a worm. The analyst wants to implement mitigation techniques 
to prevent further spread. 
Which of the following is the BEST course of action for the analyst to take? 
A. Apply a DLP solution. 
B. Implement network segmentation. 
C. Utilize email content filtering. 
D. Isolate the infected attachment. 
Answer: B 
Explanation: 
Network segmentation is the BEST course of action for the analyst to take to prevent 
further spread of the worm. Network segmentation helps to divide a network into 
smaller segments, isolating the infected host from the rest of the network. This 
helps to prevent the worm from spreading to other devices within the network. 
Implementing email content filtering or a DLP solution might help in preventing the 
email from reaching the target or in detecting data leakage, respectively, but will not 
stop the spread of the worm. 
Reference: CompTIA Security+ Study Guide, Chapter 5: Securing Network 
Infrastructure, 5.2 Implement Network Segmentation, pp. 286-289 
54.An enterprise needs to keep cryptographic keys in a safe manner. 
Which of the following network appliances can achieve this goal? 
A. HSM 
B. CASB 
C. TPM 
D. DLP 
Answer: A 
Explanation: 
Hardware Security Module (HSM) is a network appliance designed to securely store 
cryptographic keys and perform cryptographic operations. HSMs provide a secure 
environment for key management and can be used to keep cryptographic keys safe 
from theft, loss, or unauthorized access. Therefore, an enterprise can achieve the 
goal of keeping cryptographic keys in a safe manner by using an HSM appliance. 
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 2.0: 
Technologies and Tools, 2.4 Given a scenario, use appropriate tools and techniques 
to troubleshoot security issues, p. 21 


55.An organization recently acquired an ISO 27001 certification. 
Which of the following would MOST likely be considered a benefit of this certification? 
A. It allows for the sharing of digital forensics data across organizations 
B. It provides insurance in case of a data breach 
C. It provides complimentary training and certification resources to IT security staff. 
D. It certifies the organization can work with foreign entities that require a security 
clearance 
E. It assures customers that the organization meets security standards 
Answer: E 
Explanation: 
ISO 27001 is an international standard that outlines the requirements for an 
Information Security Management System (ISMS). It provides a framework for 
managing and protecting sensitive information using risk management processes. 
Acquiring an ISO 27001 certification assures customers that the organization meets 
security standards and follows best practices for information security management. It 
helps to build customer trust and confidence in the organization's ability to protect 
their sensitive information. 
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: 
Attacks, Threats, and Vulnerabilities, 1.2 Given a scenario, analyze indicators of 
compromise and determine the type of malware 
56.A company would like to provide flexibility for employees on device preference. 
However, the company is concerned about supporting too many different types of 
hardware. 
Which of the following deployment models will provide the needed flexibility with the 
GREATEST amount of control and security over company data and infrastructure? 
A. BYOD 
B. VDI 
C. COPE 
D. CYOD 
Answer: D 
Explanation: 
Choose Your Own Device (CYOD) is a deployment model that allows employees to 
select from a predefined list of devices. It provides employees with flexibility in device 
preference while allowing the company to maintain control and security over company 
data and infrastructure. The CYOD deployment model provides a compromise between 
the strict control provided by the Corporate-Owned, Personally Enabled (COPE) 
deployment model and the flexibility provided by the Bring Your Own Device (BYOD) 
deployment model. 
Reference: CompTIA Security+ Study Guide, Chapter 6: Securing Application, Data, 
and Host Security, 6.5 Implement Mobile Device Management, pp. 334-335 


57.A security analyst reports a company policy violation in a case in which a large 
amount of sensitive data is being downloaded after hours from various mobile devices 
to an external site. Upon further investigation, the analyst notices that successful login 
attempts are being conducted with impossible travel times during the same time 
periods when the unauthorized downloads are occurring. The analyst also discovers a 
couple of WAPs are using the same SSID, but they have non-standard DHCP 
configurations and an overlapping channel. 
Which of the following attacks is being conducted? 
A. Evil twin 
B. Jamming 
C. DNS poisoning 
D. Bluesnarfing 
E. DDoS 
Answer: A 
Explanation: 
The attack being conducted is an evil twin attack. An evil twin attack involves creating 
a rogue wireless access point (WAP) with the same Service Set Identifier (SSID) as a 
legitimate WAP to trick users into connecting to it. Once connected, the attacker can 
intercept traffic or steal login credentials. The successful login attempts with 
impossible travel times suggest that an attacker is using a stolen or compromised 
credential to access the external site to which the sensitive data is being downloaded. 
The non-standard DHCP configurations and overlapping channels of the WAPs 
suggest that the attacker is using a rogue WAP to intercept traffic. 
Reference: CompTIA Security+ Certification Exam Objectives, Exam Domain 1.0: 
Attacks, Threats, and Vulnerabilities, 1.4 Compare and contrast types of attacks, p. 8 
58.A security analyst must enforce policies to harden an MDM infrastructure. 
The requirements are as follows: 
* Ensure mobile devices can be tracked and wiped. 
* Confirm mobile devices are encrypted. 
Which of the following should the analyst enable on all the devices to meet these 
requirements? 
A. Geofencing 
B. Biometric authentication 
C. Geolocation 
D. Geotagging 
Answer: A 
Explanation: 
Geofencing is a technology used in mobile device management (MDM) to allow 
administrators to define geographical boundaries within which mobile devices can 
operate. This can be used to enforce location-based policies, such as ensuring that 
devices can be tracked and wiped if lost or stolen. Additionally, encryption can be 
enforced on the devices to ensure the protection of sensitive data in the event of theft 
or loss. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 7 


59.A company installed several crosscut shredders as part of increased information 
security practices targeting data leakage risks. 
Which of the following will this practice reduce? 
A. Dumpster diving 
B. Shoulder surfing 
C. Information elicitation 
D. Credential harvesting 
Answer: A 
Explanation: 
Crosscut shredders are used to destroy paper documents and reduce the risk of data 
leakage through dumpster diving. Dumpster diving is a method of retrieving sensitive 
information from paper waste by searching through discarded documents. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 2 

60.Which of the following conditions impacts data sovereignty? 
A. Rights management 
B. Criminal investigations 
C. Healthcare data 
D. International operations 
Answer: D 
Explanation: 
Data sovereignty refers to the legal concept that data is subject to the laws and 
regulations of the country in which it is located. International operations can impact 
data sovereignty, as companies operating in multiple countries may need to comply 
with different laws and regulations. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 5 


61.Developers are writing code and merging it into shared repositories several times 
a day, where it is tested automatically. 

Which of the following concepts does this BEST represent? 

A. Functional testing 

B. Stored procedures 

C. Elasticity 


D. Continuous integration 

Answer: D 

Explanation: 

Continuous integration is a software development practice where developers merge 
their code into a shared repository several times a day, and the code is tested 
automatically. This ensures that code changes are tested and integrated 
continuously, reducing the risk of errors and conflicts. 


62.A company uses a drone for precise perimeter and boundary monitoring. 
Which of the following should be MOST concerning to the company? 
A. Privacy 
B. Cloud storage of telemetry data 
C. GPS spoofing 
D. Weather events 
Answer: A 
Explanation: 
The use of a drone for perimeter and boundary monitoring can raise privacy 
concerns, as it may capture video and images of individuals on or near the monitored 
premises. The company should take measures to ensure that privacy rights are not 
violated. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 8 
63.The security team received a report of copyright infringement from the IP space of 
the corporate network. The report provided a precise time stamp for the incident as 
well as the name of the copyrighted files. The analyst has been tasked with 
determining the infringing source machine and instructed to implement measures to 
prevent such incidents from occurring again. 
Which of the following is MOST capable of accomplishing both tasks? 
A. HIDS 
B. Allow list 
C. TPM 
D. NGFW 
Answer: D 
Explanation: 
Next-Generation Firewalls (NGFWs) are designed to provide advanced threat 
protection by combining traditional firewall capabilities with intrusion prevention, 
application control, and other security features. NGFWs can detect and block 
unauthorized access attempts, malware infections, and other suspicious activity. They 
can also be used to monitor file access and detect unauthorized copying or 
distribution of copyrighted material. 
A next-generation firewall (NGFW) can be used to detect and prevent copyright 
infringement by analyzing network traffic and blocking unauthorized transfers of 
copyrighted material. Additionally, NGFWs can be configured to enforce access 
control policies that prevent unauthorized access to sensitive resources. 

Reference: CompTIA Security+ Study Guide, Exam SY0-601, 4th Edition, Chapter 6 


64.A user reports trouble using a corporate laptop. The laptop freezes and responds 
slowly when writing documents, and the mouse pointer occasionally disappears. 
The task list shows the following results: 


[Task list screenshot, garbled in extraction: columns for process name and resource 
usage (CPU, GPU, network throughput in Mbps); the visible entries include Notepad.] 
Which of the following is MOST likely the issue? 
A. RAT 
B. PUP 
C. Spyware 
D. Keylogger 
Answer: C 
Explanation: 
Spyware is malicious software that can cause a computer to slow down or freeze. It 
can also cause the mouse pointer to disappear. The task list shows an application 
named "spyware.exe" running, indicating that spyware is likely the issue. 
Reference: 
CompTIA Security+ Certification Exam Objectives 6.0: Given a scenario, analyze 
indicators of compromise and determine the type of malware. 
CompTIA Security+ Study Guide, Sixth Edition, pages 125-126 


65.Which of the following function as preventive, detective, and deterrent controls to 
reduce the risk of physical theft? (Select TWO). 

A. Mantraps 

B. Security guards 

C. Video surveillance 

D. Fences 

E. Bollards 

F. Antivirus 

Answer: A, B 


Explanation: 
A - A mantrap can trap personnel with bad intentions (preventive); it also works as 
detection, since you will know if someone is trapped there (detective); and it can deter 
such personnel from approaching as well (deterrent). 
B - Security guards can do the same: they prevent malicious personnel from entering 
(preventive and deterrent) and notice such personnel as well (detective). 


66.A security assessment found that several embedded systems are running 
unsecure protocols. These systems were purchased two years ago, and the company 
that developed them is no longer in business. 
Which of the following constraints BEST describes the reason the findings cannot be 
remediated? 
A. Inability to authenticate 
B. Implied trust 
C. Lack of computing power 
D. Unavailable patch 
Answer: D 
Explanation: 
If the systems are running unsecure protocols and the company that developed them 
is no longer in business, it is likely that there are no patches available to remediate 
the issue. 
Reference: CompTIA Security+ Certification Exam Objectives 1.6: Given a scenario, 
implement secure protocols. CompTIA Security+ Study Guide, Sixth Edition, pages 
35-36 
67.Which of the following uses six initial steps that provide basic control over system 
security by including hardware and software inventory, vulnerability management, and 
continuous monitoring to minimize risk in all network environments? 
A. ISO 27701 
B. The Center for Internet Security 
C. SSAE SOC 2 
D. NIST Risk Management Framework 

Answer: B 

Explanation: 

The Center for Internet Security (CIS) uses six initial steps that provide basic control 
over system security, including hardware and software inventory, vulnerability 
management, and continuous monitoring to minimize risk in all network environments. 
Reference: 

CompTIA Security+ Certification Exam Objectives 1.1: Compare and contrast different 
types of security concepts. 

CompTIA Security+ Study Guide, Sixth Edition, pages 15-16 


68.The Chief Executive Officer announced a new partnership with a strategic vendor 
and asked the Chief Information Security Officer to federate user digital identities 
using SAML-based protocols. 
Which of the following will this enable? 
A. SSO 
B. MFA 
C. PKI 
D. DLP 
Answer: A 
Explanation: 
Federating user digital identities using SAML-based protocols enables Single Sign-On 
(SSO), which allows users to log in once and access multiple applications without 
having to enter their credentials for each one. 
Reference: 
CompTIA Security+ Certification Exam Objectives 1.3: Explain authentication and 
access controls. CompTIA Security+ Study Guide, Sixth Edition, pages 41-42 
69.A company was compromised, and a security analyst discovered the attacker was 
able to get access to a service account. 
The following logs were discovered during the investigation: 

User account 'JHDoe' does not exist... 
User account 'VMAdmin' does not exist... 
User account 'tomcat' wrong password... 
User account 'Admin' does not exist... 

Which of the following MOST likely would have prevented the attacker from learning 
the service account name? 
A. Race condition testing 
B. Proper error handling 
C. Forward web server logs to a SIEM 
D. Input sanitization 
Answer: D 
Explanation: 
Input sanitization can help prevent attackers from learning the service account name 
by removing potentially harmful characters from user input, reducing the likelihood of 
successful injection attacks. 


Reference: 

CompTIA Security+ Certification Exam Objectives 2.2: Given a scenario, implement 
secure coding techniques. 

CompTIA Security+ Study Guide, Sixth Edition, pages 72-73 


70.The SIEM at an organization has detected suspicious traffic coming from a 
workstation in its internal network. An analyst in the SOC investigates the workstation 
and discovers malware that is associated with a botnet is installed on the device. A 
review of the logs on the workstation reveals that the privileges of the local account 
were escalated to a local administrator. 
To which of the following groups should the analyst report this real-world event? 
A. The NOC team 
B. The vulnerability management team 
C. The CIRT 
D. The red team 
Answer: C 
Explanation: 
The Computer Incident Response Team (CIRT) is responsible for handling incidents 
and ensuring that the incident response plan is followed. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9 
71.A financial institution would like to store its customer data in a cloud but still allow 
the data to be accessed and manipulated while encrypted. Doing so would prevent 
the cloud service provider from being able to decipher the data due to its sensitivity. 
The financial institution is not concerned about computational overheads and slow 
speeds. 
Which of the following cryptographic techniques would BEST meet the requirement? 
A. Asymmetric 
B. Symmetric 
C. Homomorphic 
D. Ephemeral 
Answer: B 
Explanation: 
Symmetric encryption allows data to be encrypted and decrypted using the same key. 
This is useful when the data needs to be accessed and manipulated while still 
encrypted. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 6 


72.A company reduced the area utilized in its datacenter by creating virtual 
networking through automation and by creating provisioning routes and rules through 
scripting. 

Which of the following does this example describe? 
A. IaC 
B. MSSP 
C. Containers 
D. SaaS 
Answer: A 
Explanation: 
IaaS (Infrastructure as a Service) allows the creation of virtual networks, automation, 
and scripting to reduce the area utilized in a datacenter. 

Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 4 

73.A global company is experiencing unauthorized logins due to credential theft and 
account lockouts caused by brute-force attacks. The company is considering 
implementing a third-party identity provider to help mitigate these attacks. 
Which of the following would be the BEST control for the company to require from 
prospective vendors? 
A. IP restrictions 
B. Multifactor authentication 
C. A banned password list 
D. A complex password policy 
Answer: B 
Explanation: 
Multifactor authentication (MFA) would be the best control to require from a third-party 
identity provider to help mitigate attacks such as credential theft and brute-force 
attacks. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 2 

74.An organization wants to integrate its incident response processes into a workflow 
with automated decision points and actions based on predefined playbooks. 
Which of the following should the organization implement? 
A. SIEM 
B. SOAR 
C. EDR 
D. CASB 
Answer: B 
Explanation: 
Security Orchestration, Automation, and Response (SOAR) should be implemented to 
integrate incident response processes into a workflow with automated decision points 
and actions based on predefined playbooks. 
Reference: CompTIA Security+ Study Guide, Exam SY0-601, Chapter 9 


75.A bad actor tries to persuade someone to provide financial information over the 
phone in order to gain access to funds. 

Which of the following types of attacks does this scenario describe? 
A. Vishing 
B. Phishing 
C. Spear phishing 
D. Whaling 
Answer: A 
Explanation: 
Vishing is a social engineering attack that uses phone calls or voicemail messages to 
trick people into divulging sensitive information, such as financial information or login 
credentials. 

76.Which of the following must be in place before implementing a BCP? 
A. SLA 
B. AUP 
C. NDA 
D. BIA 
Answer: D 
Explanation: 
A Business Impact Analysis (BIA) is a critical component of a Business Continuity 
Plan (BCP). It identifies and prioritizes critical business functions and determines the 
impact of their disruption. 
Reference: CompTIA Security+ Study Guide 601, Chapter 10 

77.A developer is building a new portal to deliver single-pane-of-glass management 
capabilities to customers with multiple firewalls. To improve the user experience, the 
developer wants to implement an authentication and authorization standard that uses 
security tokens that contain assertions to pass user information between nodes. 
Which of the following roles should the developer configure to meet these 
requirements? (Select TWO). 
A. Identity processor 
B. Service requestor 
C. Identity provider 
D. Service provider 
E. Tokenized resource 
F. Notarized referral 
Answer: C, D 
Explanation: 
An identity provider (IdP) is responsible for authenticating users and generating 
security tokens containing user information. A service provider (SP) is responsible for 
accepting security tokens and granting access to resources based on the user's 
identity. 

78.An organization wants seamless authentication to its applications. 
Which of the following should the organization employ to meet this requirement? 
A. SOAP 
B. SAML 
C. SSO 
D. Kerberos 
Answer: C 
Explanation: 
Single Sign-On (SSO) is a mechanism that allows users to access multiple 
applications with a single set of login credentials. 
Reference: CompTIA Security+ Study Guide 601 

79.A security analyst is running a vulnerability scan to check for missing patches 
during a suspected security incident. During which of the following phases of the 
response process is this activity MOST likely occurring? 
A. Containment 
B. Identification 
C. Recovery 
D. Preparation 
Answer: B 
Explanation: 
Vulnerability scanning is a proactive security measure used to identify vulnerabilities 
in the network and systems. 
Reference: CompTIA Security+ Study Guide 601, Chapter 4 

80.A security engineer needs to build a solution to satisfy regulatory requirements 
that state certain critical servers must be accessed using MFA. However, the critical 
servers are older and are unable to support the addition of MFA. 
Which of the following will the engineer MOST likely use to achieve this objective? 
A. A forward proxy 
B. A stateful firewall 
C. A jump server 
D. A port tap 
Answer: C 
Explanation: 
A jump server is a secure host that allows users to access other servers within a 
network. The jump server acts as an intermediary, and users can access other 
servers via the jump server after authenticating with MFA. 

81.Which of the following environments would MOST likely be used to assess the 
execution of component parts of a system at both the hardware and software levels 
and to measure performance characteristics? 
A. Test 
B. Staging 
C. Development 
D. Production 
Answer: A 
Explanation: 
The test environment is used to assess the execution of component parts of a system 
at both the hardware and software levels and to measure performance 
characteristics. 
Reference: CompTIA Security+ Study Guide 601, Chapter 2 

82.A company is implementing a new SIEM to log and send alerts whenever 
malicious activity is blocked by its antivirus and web content filters. 
Which of the following is the primary use case for this scenario? 
A. Implementation of preventive controls 
B. Implementation of detective controls 
C. Implementation of deterrent controls 
D. Implementation of corrective controls 
Answer: B 
Explanation: 
A Security Information and Event Management (SIEM) system is a tool that collects 
and analyzes security-related data from various sources to detect and respond to 
security incidents. 
Reference: CompTIA Security+ Study Guide 601, Chapter 5 

83.Which of the following in a forensic investigation should be prioritized based on the 
order of volatility? (Select TWO). 
A. Page files 
B. Event logs 
C. RAM 
D. Cache 
E. Stored files 
F. HDD 
Answer: C, D 
Explanation: 
In a forensic investigation, volatile data should be collected first, based on the order of 
volatility. RAM and cache are examples of volatile data. 

Reference: CompTIA Security+ Study Guide 601, Chapter 11 

84.The Chief Technology Officer of a local college would like visitors to utilize the 
school's WiFi but must be able to associate potential malicious activity to a specific 
person. 

Which of the following would BEST allow this objective to be met? 
A. Requiring all new, on-site visitors to configure their devices to use WPS 
B. Implementing a new SSID for every event hosted by the college that has visitors 
C. Creating a unique PSK for every visitor when they arrive at the reception area 
D. Deploying a captive portal to capture visitors' MAC addresses and names 
Answer: D 
Explanation: 
A captive portal is a web page that requires visitors to authenticate or agree to an 
acceptable use policy before allowing access to the network. By capturing visitors' 
MAC addresses and names, potential malicious activity can be traced back to a 
specific person. 

85.An analyst is generating a security report for the management team. Security 
guidelines recommend disabling all listening unencrypted services. 
Given this output from Nmap: 

Which of the following should the analyst recommend to disable? 
A. 21/tcp 
B. 22/tcp 
C. 23/tcp 
D. 443/tcp 
Answer: A 

86.As part of a company's ongoing SOC maturation process, the company wants to 
implement a method to share cyberthreat intelligence data with outside security 
partners. 

Which of the following will the company MOST likely implement? 
A. TAXII 
B. TLP 
C. TTP 
D. STIX 
Answer: A 
Explanation: 
Trusted Automated Exchange of Intelligence Information (TAXII) is a standard 
protocol that enables the sharing of cyber threat intelligence between organizations. It 
allows organizations to automate the exchange of information in a secure and timely 
manner. 

Reference: CompTIA Security+ Certification Exam Objectives - 3.6 Given a scenario, 
implement secure network architecture concepts. Study Guide: Chapter 4, page 167. 

87.A security incident has been resolved. 
Which of the following BEST describes the importance of the final phase of the 
incident response plan? 
A. It examines and documents how well the team responded, discovers what caused 
the incident, and determines how the incident can be avoided in the future 
B. It returns the affected systems back into production once systems have been fully 
patched, data restored and vulnerabilities addressed 
C. It identifies the incident and the scope of the breach, how it affects the production 
environment, and the ingress point 
D. It contains the affected systems and disconnects them from the network, 
preventing further spread of the attack or breach 
Answer: A 
Explanation: 
The final phase of an incident response plan is the post-incident activity, which 
involves examining and documenting how well the team responded, discovering what 
caused the incident, and determining how the incident can be avoided in the future. 
Reference: CompTIA Security+ Certification Exam Objectives - 2.5 Given a scenario, 
analyze potential indicators to determine the type of attack. Study Guide: Chapter 5, 
page 225. 

88.Which of the following describes a maintenance metric that measures the average 
time required to troubleshoot and restore failed equipment? 
A. RTO 
B. MTBF 
C. MTTR 
D. RPO 
Answer: C 
Explanation: 
Mean Time To Repair (MTTR) is a maintenance metric that measures the average 
time required to troubleshoot and restore failed equipment. 

Reference: CompTIA Security+ Certification Exam Objectives - 4.6 Explain the 
importance of secure coding practices. Study Guide: Chapter 7, page 323. 

89.Which of the following should a technician consider when selecting an encryption 
method for data that needs to remain confidential for a specific length of time? 
A. The key length of the encryption algorithm 
B. The encryption algorithm's longevity 
C. A method of introducing entropy into key calculations 
D. The computational overhead of calculating the encryption key 
Answer: B 
Explanation: 
When selecting an encryption method for data that needs to remain confidential for a 
specific length of time, the longevity of the encryption algorithm should be considered 
to ensure that the data remains secure for the required period. 

Reference: CompTIA Security+ Certification Exam Objectives - 3.2 Given a scenario, 
use appropriate cryptographic methods. Study Guide: Chapter 4, page 131. 

90.A network analyst is investigating compromised corporate information. The 
analyst's investigation leads to a theory that network traffic was intercepted before 
being transmitted to the internet. 

The following output was captured on an internal host: 

Based on the IoCs, which of the following was the MOST likely attack used to 
compromise the network communication? 
A. Denial of service 
B. ARP poisoning 
C. Command injection 
D. MAC flooding 
Answer: B 
Explanation: 
ARP poisoning (also known as ARP spoofing) is a type of attack where an attacker 
sends falsified ARP messages over a local area network to link the attacker's MAC 
address with the IP address of another host on the network. 

Reference: CompTIA Security+ Certification Exam Objectives - 2.5 Given a scenario, 
analyze potential indicators to determine the type of attack. Study Guide: Chapter 6, 
page 271. 

91.A security analyst is investigating a phishing email that contains a malicious 
document directed to the company's Chief Executive Officer (CEO). 

Which of the following should the analyst perform to understand the threat and 
retrieve possible IoCs? 
A. Run a vulnerability scan against the CEO's computer to find possible vulnerabilities 
B. Install a sandbox to run the malicious payload in a safe environment 
C. Perform a traceroute to identify the communication paths 
D. Use netstat to check whether communication has been made with a remote host 
Answer: B 
Explanation: 
To understand the threat and retrieve possible Indicators of Compromise (IoCs) from 
a phishing email containing a malicious document, a security analyst should install a 
sandbox to run the malicious payload in a safe environment. 

Reference: CompTIA Security+ Certification Exam Objectives - 2.5 Given a scenario, 
analyze potential indicators to determine the type of attack. Study Guide: Chapter 5, 
page 209. 

92.A customer has reported that an organization's website displayed an image of a 
smiley face rather than the expected web page for a short time two days earlier. 

A security analyst reviews log entries and sees the following around the time of the 
incident: 

Which of the following is MOST likely occurring? 
A. Invalid trust chain 
B. Domain hijacking 
C. DNS poisoning 
D. URL redirection 
Answer: C 
Explanation: 
The log entry shows the IP address for "www.example.com" being changed to a 
different IP address, which is likely the result of DNS poisoning. DNS poisoning 
occurs when an attacker is able to change the IP address associated with a domain 
name in a DNS server's cache, causing clients to connect to the attacker's server 
instead of the legitimate server. 

Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.2 Given a scenario, 
implement secure network architecture concepts. 

93.Which of the following would produce the closest experience of responding to an 
actual incident response scenario? 
A. Lessons learned 
B. Simulation 
C. Walk-through 
D. Tabletop 
Answer: B 
Explanation: 
A simulation exercise is designed to create an experience that is as close as possible 
to a real-world incident response scenario. It involves simulating an attack or other 
security incident and then having security personnel respond to the situation as they 
would in a real incident. 
Reference: CompTIA Security+ SY0-601 Exam Objectives: 1.1 Explain the 
importance of implementing security concepts, methodologies, and practices. 

94.A security analyst was deploying a new website and found a connection 
attempting to authenticate on the site's portal. While investigating the incident, the 
analyst identified the following input in the username field: 

Which of the following BEST explains this type of attack? 
A. DLL injection to hijack administrator services 
B. SQLi on the field to bypass authentication 
C. Execution of a stored XSS on the website 
D. Code to execute a race condition on the server 
Answer: B 
Explanation: 
The input "admin' or 1=1--" in the username field is an example of a SQL injection 
(SQLi) attack. In this case, the attacker is attempting to bypass authentication by 
injecting SQL code into the username field that will cause the authentication check to 
always return true. 
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.1 Given a scenario, use 
appropriate software tools to assess the security posture of an organization. 

95.The Chief Information Security Officer directed a risk reduction in shadow IT and 
created a policy requiring all unsanctioned high-risk SaaS applications to be blocked 
from user access. 
Which of the following is the BEST security solution to reduce this risk? 
A. CASB 
B. VPN concentrator 
C. MFA 
D. VPC endpoint 
Answer: A 
Explanation: 
A Cloud Access Security Broker (CASB) can be used to monitor and control access to 
cloud-based applications, including unsanctioned SaaS applications. It can help 
enforce policies that prevent access to high-risk SaaS applications and provide 
visibility into the use of such applications by employees. 
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.3 Given a scenario, 
implement secure mobile solutions. 

96.After a WiFi scan of a local office was conducted, an unknown wireless signal was 
identified. Upon investigation, an unknown Raspberry Pi device was found connected 
to an Ethernet port using a single connection. 
Which of the following BEST describes the purpose of this device? 
A. IoT sensor 
B. Evil twin 
C. Rogue access point 
D. On-path attack 
Answer: C 
Explanation: 
A Raspberry Pi device connected to an Ethernet port could be configured as a rogue 
access point, allowing an attacker to intercept and analyze network traffic or perform 
other malicious activities. 
Reference: CompTIA Security+ SY0-601 Exam Objectives: 3.2 Given a scenario, 
implement secure network architecture concepts. 

97.Remote workers in an organization use company-provided laptops with locally 
installed applications and locally stored data. Users can store data on a remote server 
using an encrypted connection. The organization discovered data stored on a laptop 
had been made available to the public. 

Which of the following security solutions would mitigate the risk of future data 
disclosures? 
A. FDE 
B. TPM 
C. HIDS 
D. VPN 
Answer: A 
Explanation: 
The best security solution to mitigate the risk of future data disclosures from a laptop 
would be FDE. FDE would prevent unauthorized access to the data stored on the 
laptop even if it is stolen or lost. FDE can also use a TPM to store the encryption key 
and ensure that only trusted software can decrypt the data. HIDS and VPN are not 
directly related to data encryption, but they can provide additional security benefits by 
detecting intrusions and protecting network traffic, respectively. 

98.A security researcher has alerted an organization that its sensitive user data was 
found for sale on a website. 
Which of the following should the organization use to inform the affected parties? 
A. An incident response plan 
B. A communications plan 
C. A business continuity plan 
D. A disaster recovery plan 
Answer: B 
Explanation: 
A communications plan should be used to inform the affected parties about the sale of 
sensitive user data on a website. The communications plan should detail how the 
organization will handle media inquiries, how to communicate with customers, and 
how to respond to other interested parties. 

99.An organization's Chief Information Security Officer is creating a position that will 
be responsible for implementing technical controls to protect data, including ensuring 
backups are properly maintained. 
Which of the following roles would MOST likely include these responsibilities? 
A. Data protection officer 
B. Data owner 
C. Backup administrator 
D. Data custodian 
E. Internal auditor 
Answer: D 
Explanation: 
The responsibilities of ensuring backups are properly maintained and implementing 
technical controls to protect data are the responsibilities of the data custodian role. 
Reference: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 7: 
Securing Hosts and Data, Data Custodian 


100.Which of the following would MOST likely be identified by a credentialed scan but 
would be missed by an uncredentialed scan? 
A. Vulnerabilities with a CVSS score greater than 6.9. 
B. Critical infrastructure vulnerabilities on non-IP protocols. 
C. CVEs related to non-Microsoft systems such as printers and switches. 
D. Missing patches for third-party software on Windows workstations and servers. 
Answer: D 
Explanation: 
An uncredentialed scan would miss missing patches for third-party software on 
Windows workstations and servers. A credentialed scan, however, can scan the 
registry and file system to determine the patch level of third-party applications. 
Reference: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 4: Identity 
and Access Management, The Importance of Credentials Scans 